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Implementation of the Fair and Accurate Credit 
Transactions (FACT) Act of 2003 



Summary 

On December 4, 2003, the President signed the Fair and Accurate Credit 
Transactions (FACT) Act of 2003 (P.L. 108-159), which included a number of 
amendments to the Fair Credit Reporting Act (FCRA) aimed at protecting the privacy 
of the information in a consumer’s credit report, assisting victims of identity theft, 
and preventing fraudulent credit transactions. Many provisions of the act required 
implementation by the Federal Trade Commission and the federal banking agencies. 
This report provides an overview of the rulemaking proceedings implementing the 
major provisions of the FACT Act. It will be updated as events warrant. 
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Implementation of the Fair and Accurate 
Credit Transactions (FACT) Act of 2003 



Background 

As the preemption provisions of the Fair Credit Reporting Act (FCRA) were set 
to expire at the end of 2003, both the House and Senate revisited the entire Act, 
holding a series of hearings on various issues related to consumer credit, the credit 
reporting system, and financial privacy. These hearings culminated in the passage 
of the Fair and Accurate Credit Transactions (FACT) Act of 2003. 1 

On December 4, 2003, the President signed the Fair and Accurate Credit 
Transactions (FACT) Act of 2003, which became Public Law 108-159. The act 
included a number of amendments to the Fair Credit Reporting Act (FCRA) aimed 
at protecting the privacy of the information in a consumer’s credit report, assisting 
victims of identity theft, and preventing fraudulent credit transactions. Many 
provisions of the act required implementation by the Federal Trade Commission and 
the federal banking agencies. This report provides an overview of the rulemaking 
proceedings implementing the major provisions of the FACT Act. 



Final Rules 

Free Annual File Disclosures 

On June 24, 2004, the Federal Trade Commission (FTC) issued its final rule 
implementing the provision of the FACT Act providing for free annual disclosures 
of consumer credit reports. 2 Under the FACT Act, nationwide credit reporting 
agencies (CRAs) are required to make all disclosures pursuant to FCRA section 609 3 
in a consumer report available free of charge once during any 12-month period. 4 All 
information in the consumer’s file at the time of the consumer’s request must be 
disclosed, and disclosure must be mailed within 15 days of when the request was 



1 For more information about the House and Senate legislation leading to the Fair and 
Accurate Credit Transactions Act of 2003, see CRS Report RL32 12 1 , Fair Credit Reporting 
Act: A Side-by-Side Comparison of House, Senate and Conference Versions. 

2 69 FR 34562 (June 24, 2004). 

3 15U.S.C. 168 lg. 

4 For more information on the free credit report provisions of the FCRA and the FACT Act, 
see CRS Report RL32008, A Consumer’ s Access to a Free Credit Report: A Legal and 
Economic Analysis. 
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received. 5 The FACT Act directed the FTC to promulgate rules establishing a 
centralized source through which consumers may request free annual file disclosures 
from each nationwide consumer reporting agency, a standardized form for these 
requests, and a streamlined process for consumers to request free annual file 
disclosure from nationwide specialty reporting agencies. 

Under the final rule, the centralized source includes a centralized Internet 
website, a toll-free telephone number, and a postal address. It is estimated there will 
be 30.4 million requests yearly, 75% or 22.8 million by internet, 24% or 4 million by 
telephone, and 1% or 166,000 by mail. To accommodate the initial volume of 
requests when the rule becomes effective, availability will roll out from west to east 
beginning December 1, 2004 and ending in nationwide availability on September 1, 
2005. During periods of extraordinary request volume, requests may be redirected 
or declined so long as nationwide CRAs implement reasonable procedures to 
anticipate and respond to consumer demand. 

In order to strike a balance between ease of use of the centralized source and 
maintaining adequate identification and authentication procedures against fraud and 
identity theft, the FTC limits the collection of authentication and information 
collection to that which is “reasonably necessary.” This may include but does not 
require consumers to provide their social security numbers. It is the FTC’s position 
that a flexible standard that adapts over time is the most effective way to ensure that 
proper procedures are implemented. 

Furnishing of Negative Information 

Section 217 of the FACT Act requires that if any financial institution (1) 
extends credit and regularly and in the ordinary course of business furnishes 
information to a nationwide consumer reporting agency, and (2) furnishes negative 
information to such an agency regarding credit extended to a customer, the institution 
must provide a clear and conspicuous notice in writing to the customer with 30 days 
of furnishing the negative information. 6 There is a safe harbor for failure to perform 
if, at the time of the failure, the institution maintained reasonable policies and 
procedures to comply with the section if the institution reasonably believed that it 
was prohibited by law from contacting the customer. 

The FACT Act directed the Board of Governors of the Federal Reserve System 
to publish a concise model notice not exceeding 30 words that financial institutions 
may but are not required to use to comply with the notice requirement. On June 15, 
2004, the Board published two model notices, one for use when notice to the 
customer precedes the provision of negative information to a CRA, and one for use 
if notice follows the provision of negative information. 7 The two model notices are 
as follows: 



5 15U.S.C. 168 lg(a)(l). 

6 Negative information is defined as information concerning a customer ’ s delinquencies, late 
payments, insolvency, or any form of default. P.L. 108-159, Sec. 217(a). 

7 69 FR 33281 (June 15,2004). 
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We may report information about your account to credit bureaus. Late 
paymen ts, missed paymen ts, or other defaults on your accoun t may be reflected 
in your credit report. 

We have told a credit bureau about a late payment, missed payment or other 
default on your account. This information may be reflected in your credit report. 

Provisions Related to Identity Theft 

On November 3, 2004, the FTC released its final rule establishing definitions 
for “identity theft” and “identity theft report;” clarifying what constitutes “appropriate 
proof of identity” for purposes of the FCRA, as amended by the FACT Act; and 
establishing the duration of an active duty alert created pursuant to the FACT Act. s 

Definition of Identity Theft. The FACT Act confers rights on victims of 
identity theft to assist them in resolving problems cause by identity theft. 9 Defining 
identity theft determines who may avail themselves of the rights conferred by the act. 

The FACT Act defines “identity theft” as “a fraud committed using the 
identifying information of another person” subject to further definition by the FTC. 10 
The FTC’s final rule defines “identity theft” as “a fraud committed or attempted 
using the identifying information of another person without authority.” 11 The 
inclusion of “attempted” in the definition will allow both victims and intended 
victims to avail themselves of the protections provided under the act to have 
unauthorized inquiries removed from their consumer reports and to have an “initial 
fraud alert” placed in their file. 

Definition of Identity Theft Report. Under section 605A of the FCRA, as 
amended by the FACT Act, victims who provide an identity theft report to consumer 
reporting agencies can request an extended fraud alert on their files. An extended 
fraud alert lasts seven years and notifies users that the consumer may be a victim of 
fraud or identity theft and requires users to contact the consumer before extending 
credit. An identify theft report may also be provided by consumers to consumer 
reporting agencies to have information resulting from identity theft blocked from 
consumer reports, and by consumers to information furnishers to prevent information 
furnishers from continuing to provide information resulting from identity theft to the 
consumer reporting agencies. 

The FTC’s final rule defines “identity theft report” as a report that “alleges 
identity theft with as much specificity as the consumer can provide;” and has been 
filed by the consumer with a federal, state, or local law enforcement agency. 12 The 
report may also include additional information as requested by an information 



8 69 FR 63922 (November 3, 2004). 

9 P.L. 108-159, Title 1. 

10 P.L. 108-159, Sec. 111. 

11 69 FR at 63933. 

12 69 FR at 63933. 
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furnisher or consumer reporting agency. The final rule allows information furnishers 
or consumer reporting agencies to make reasonable requests for additional 
information for the purpose of determining the validity of the identity theft no later 
than fifteen business days after receiving the law enforcement agency report or the 
consumer’s request, whichever is later. 

Appropriate Proof of Identity. Section 112(b) of the FACT Act requires 
the FTC to determine what constitutes appropriate proof of identity for the purposes 
described above. In it’s proposed rule, the Commission found that the two greatest 
risks of misidentification are that the file of the requesting consumer is confused with 
another consumer’s file, or that a person pretending to be the consumer makes the 
request successfully. The FTC noted that the risks vary over time, by the method 
through which requests are made (internet, phone, mail), and between consumer 
reporting agencies. Considering the nature of the risks, the FTC determined that the 
consumer reporting agencies were in the best position to assess the risks associated 
with misidentification, and it proposed to require them to develop reasonable 
requirements to identify consumers in accordance with the risk of harm from 
misidentification. 

The final rule follows the Commission’s original proposal, but also imposes 
certain requirements on the consumer reporting agencies and provides examples of 
the types of information that may be used to prove identity. 13 Under the final rule, 
the consumer reporting agencies must “ensure that the information is sufficient to 
enable the consumer reporting agency to match consumers with their files; and adjust 
the information to be commensurate with an identifiable risk of harm arising from 
misidentifying the consumer.” 14 Examples of the type of information that may be 
used include the consumer’s full name, any other previously used names, current 
and/or recent full address, the full nine digits of the social security number, and date 
fo birth. Additional proof of identity may include copies of government issued 
identification documents, utility bills, and answers to questions to which only the 
consumer may be expected to know the answer. 

Duration of an Active Duty Alert. Under the FACT Act, military personnel 
deployed in situations where they are unlikely to be able either to apply for credit or 
to monitor their financial accounts may place active duty alerts in their files 
maintained by nationwide consumer reporting agencies. The act sets a minimum 
period of 12 months for the duration of the active duty alert, but requires the FTC to 
determine if this period should be longer. 

The FTC’s final rule abides by the duration of 12 months. 15 However, the 
Commission notes that service members deployed for longer than 12 months may 
request subsequent alerts. 



13 69 FR at 63933. 

14 69 FR at 63933 - 63934. 

15 69 FR at 63933. 
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Disposal of Consumer Information 

On November 24, 2004, the FTC issued its final rule regarding the proper 
disposal of consumer report information and records as required under section 216 
of the FACT Act. 16 

The Federal Trade Commission’s new rule requires “any person who maintains 
or otherwise possesses consumer information for a business purpose” to “properly 
dispose of such information by taking reasonable measures to protect against 
unauthorized access to or use of the information in connection with its disposal.” 17 
The final rule includes examples of standards and practices that would constitute 
reasonable measures in compliance with the requirement articulated above. Such 
reasonable measures could include, but are not limited to the following: 1) the 
implementation of and monitoring of compliance with policies and procedures that 
require the burning, pulverizing, or shredding of papers containing consumer 
information; 2) the implementation of and monitoring of compliance with policies 
and procedures that require the destruction or erasure of electronic media containing 
such information; and 3) after due diligence, entering into a contract with another 
party engaged in the business fo record destruction to dispose of such material. 
Persons subject to the Gramm- Leach-Bliley Act and the Commission’s Safeguards 
Rule can incorporate the disposal of consumer information into the information 
security program required by the Safeguards Rule. 18 

On November 29, 2004, the National Credit Union Administration (NCUA) 
issued a final rule to implement section 216 of the FACT Act by amending its fair 
credit reporting and security program regulations and NCUA’s Guidelines for 
Safeguarding Member Information. 19 The new rule generally requires federal credit 
unions (FCUs) to develop and maintain controls designed to ensure proper disposal 
of consumer information as part of their information security programs. Examples 
of what constitutes proper disposal mirror those articulated by the Federal Trade 
Commission. 

On December 28, 2004, the OCC, FRS, FDIC, and OTS (the Agencies) issued 
a final rule to implement section 216 of the FACT Act by amending the Interagency 
Guidelines Establishing Standards for Safeguarding Customer Information. 20 The 
new rule amends paragraph n.B of the Guidelines by adding proper disposal of 
consumer information to the list of objectives. To reach this objective, each 
institution must, as part of its information security program, develop, implement, and 
maintain measures to properly dispose of consumer information to guard against 
identity theft. 



16 69 FR 68690 (November 24, 2004). 

17 69 FR at 68697. 

18 See 16C.F.R. part 314. 

19 69 FR 69269 (November 29, 2004). 

20 69 FR 77610 (December 29, 2004). See also 69 FR 71322 for a discussion of the SEC’s 
implementation of the disposal requirements under section 216 of the FACT Act. 
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Proposed Rules 



Affiliate Marketing 

Section 214(a) of the FACT Act amended the FCRA by adding a new section 
624, which the proposed rule seeks to implement by providing for consumer notice 
and an opportunity to prohibit affiliates from using certain information to make or 
send marketing solicitations to the consumer. Section 624 governs the use of 
information by an affiliate, not the sharing of information with or among affiliates, 
which is the subject of section 603(d)(2)(A)(iii). 21 Though there is some overlap 
between the two opt-out provisions, they serve distinct purposes. 

Section 624 does not specify which affiliate must give the consumer notice and 
opportunity to opt out of the use of the information by an affiliate for marketing 
purposes. Section 214 (b)(2) of the FACT Act requires the FTC to consider existing 
affiliate sharing notification practices and to provide for coordinated and 
consolidated notices, and section 214 allows for the combination of affiliate 
marketing opt-out notices with other notices required by law such as privacy notices. 
Therefore, the FTC proposes that the person communicating the information should 
be responsible for satisfying the notice requirement where applicable because that is 
the person that would likely provide the affiliate sharing opt-out notice under section 
603(d)(2)(A)(iii) of the FCRA and other disclosures required by law. 22 

The proposed rule also defines the type of information that consumers are able 
to bar affiliates from using to send marketing solicitations, referring to such 
information as “eligibility information.” Under the proposed rule, “eligibility 
information” could include “a person’s own transaction or experience information, 
such as information about a consumer’s account history with that person, and other 
information, such as information from credit bureau reports or applications.” 23 

Under the proposed rule, the Commission has determined that a person must 
give a consumer a reasonable opportunity to opt-out following delivery of the opt-out 
notice. The proposal provides examples of what may constitute a reasonable 
opportunity to opt-out, and establishes a 30-day safe harbor period in certain 
situations. 



21 Section 603 (d)(2) (A) (iii) provides that a person may communicate non-transaction or 
experience information that would otherwise be a consumer report among its affiliates 
without becoming a consumer reporting agency if the person has given the consumer both 
a clear and conspicuous notice that such information may be communicated among affiliates 
and an opportunity to opt-out of such communications, and the consumer has not opted out. 

22 69 FR 33324 (June 15, 2004). 

23 Id. 
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The federal banking agencies and the Securities and Exchange Commission 
have issued proposed rules that appear to be substantially similar to those proposed 
by the Federal Trade Commission. 24 

Reporting of Medical Information 

On April 28, 2004, the Office of Thrift Supervision of the Department of the 
Treasury (OTS), the Federal Reserve System (Board), the Federal Deposit Insurance 
Corporation (FDIC), and the National Credit Union Agency (NCUA), published 
proposed regulations implementing section 411 of the FACT Act, restricting the 
circumstances under which consumer reporting agencies may furnish consumer 
reports containing medical information about consumers. 25 

Section 411(a) of the FACT Act added several new sections to the FCRA. 
Among these, new section 604(g)(1) restricts the furnishing by consumer reporting 
agencies of consumer reports containing medical information about consumers to 
the following three circumstances: (1) the report is furnished in connection with an 
insurance transaction with the consumer’s affirmative consent; (2) the report is 
furnished either for employment purposes or in connection with a credit transaction, 
the information is relevant to process the employment or credit transaction, and the 
consumer provides written consent describing in clear and conspicuous language the 
use for which the information will be furnished; or (3) the information pertains solely 
to transactions, accounts, or balances relating to debts arising from the receipt of 
medical services, products, or devices, where such information is not sufficient to 
allow inference of the specific provider or nature of the services. 

The new section 604(g)(2) prohibits creditors from obtaining or using medical 
information pertaining to a consumer in connection with any determination of the 
consumer’s eligibility or continued eligibility for credit. 

A final new section — 604(d)(3) — eliminates the standard exclusions 
permitting sharing transaction or experience information among affiliates after notice 
and an opportunity to opt-out where medical-related information is concerned. 

The Agencies propose two things. 26 First, they propose to create exceptions to 
the general prohibition against obtaining or using medical information in connection 
with credit eligibility determinations. Also, they propose to create additional 
exceptions to the restrictions on sharing medical-related information with affiliates. 
The Agencies believe the exceptions are necessary and appropriate to protect 
legitimate operational, transactional, risk, consumer, and other needs and are 
consistent with congressional intent to restrict the use of medical information for 
inappropriate purposes. 



24 See 69 FR 42502 (July 15, 2004); 69 FR 42302 (July 14, 2004). 

25 69 FR 23380 (April 28, 2004). 

26 Id. 




